ASP.NET Forms Authentication Blocks Images and CSS Files

If you use ASP.NET Forms Authentication in a web application that runs on IIS 7 or above with an integrated pipeline application pool, you may find that the images and styles of your application are not displayed until you are logged in (authenticated). If you encounter this problem, here is how to fix it.

First, let me take one step back to explain why the problem happens. If you look at your web.config file, you will most likely see the following attribute on the <modules> element:

<modules runAllManagedModulesForAllRequests="true" />

If you have implemented Forms Authentication in your application, this attribute, when set to true, tells ASP.NET to protect all content in your application, including images and CSS files, from unauthenticated users. So if you have images and styles on your login page, they will not display. This behavior is new in IIS 7 and above. To preserve backwards compatibility, IIS 7 and above registers every managed module with a precondition (managedHandler) in its default configuration. Because of that precondition, ASP.NET by default only protects requests handled by a managed handler, such as .aspx or .asmx files. Setting the attribute above to true makes IIS ignore the precondition, so the managed modules, including Forms Authentication and URL Authorization, run for every request, static files included.

Based on this, the quick and dirty fix is to set the attribute to false or simply remove the line from your web.config.

<modules runAllManagedModulesForAllRequests="false" />

But what if your web application requires high security and you DO need to protect files other than .aspx and .asmx files? The better solution is to leave the attribute set to true and use <location> elements to exempt your image and CSS folders from authentication. Everything under those paths becomes readable without logging in, so keep only public assets there.

  <location path="Styles">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
  <location path="App_Themes">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>

However, there is one more problem with the solution above. If your site has heavy traffic, runAllManagedModulesForAllRequests="true" forces every request through all managed modules, which increases the load on your application. You may only need some managed modules to handle all requests regardless of content, while the others can keep the default configuration. To do this, identify which modules should handle all requests regardless of content, for instance the Forms Authentication module and the URL Authorization module, then modify the <modules> section of your web.config file as follows:

  <system.webServer>
    <!--<modules runAllManagedModulesForAllRequests="false" />-->
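    <modules>
      <!-- Each module is removed and re-added without preCondition="managedHandler",
           so it runs for every request, static files included -->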
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule"
           type="System.Web.Security.FormsAuthenticationModule" />

      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" />

      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>

This change combined with the <location> tag will allow ASP.NET to display the images and the style on your page, without causing security issues.
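
An added example (not part of the original article): a small Python check that reads a web.config and reports whether the Forms Authentication and URL Authorization modules run for static files, and which <location> paths are open without login. The sample config is constructed, and the script assumes that any module not re-added in this one file keeps the server default managedHandler precondition.

```python
import xml.etree.ElementTree as ET

# Module types from the article; both must run on every request before
# static files (images, CSS, documents) are covered by <authorization> rules.
AUTH_TYPES = {"System.Web.Security.FormsAuthenticationModule",
              "System.Web.Security.UrlAuthorizationModule"}

# Constructed sample: UrlAuthorization is left with the managedHandler
# precondition, so URL authorization is skipped for static files.
SAMPLE = """<configuration>
  <location path="Styles">
    <system.web><authorization><allow users="?"/></authorization></system.web>
  </location>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule"/>
      <add name="FormsAuthenticationModule"
           type="System.Web.Security.FormsAuthenticationModule"/>
      <remove name="UrlAuthorization"/>
      <add name="UrlAuthorization" preCondition="managedHandler"
           type="System.Web.Security.UrlAuthorizationModule"/>
    </modules>
  </system.webServer>
</configuration>"""

def audit(xml_text):
    """Report which auth modules skip static files and which paths are public."""
    root = ET.fromstring(xml_text)
    modules = next(root.iter("modules"), None)
    covered = set()
    if modules is not None:
        if modules.get("runAllManagedModulesForAllRequests", "").lower() == "true":
            covered = set(AUTH_TYPES)  # preconditions are ignored entirely
        for add in modules.findall("add"):
            mod_type = add.get("type", "").split(",")[0].strip()
            # No managedHandler precondition means the module sees every request.
            if mod_type in AUTH_TYPES and "managedHandler" not in add.get("preCondition", ""):
                covered.add(mod_type)
    public = []
    for loc in root.iter("location"):
        for allow in loc.iter("allow"):
            users = {u.strip() for u in allow.get("users", "").split(",")}
            if users & {"?", "*"}:  # anonymous or everyone
                public.append(loc.get("path"))
    return {"static_protected": covered == AUTH_TYPES,
            "managed_only": sorted(AUTH_TYPES - covered),
            "public_paths": public}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A module listed under managed_only still runs only for managed handlers, so authorization rules do not apply to static files until it is re-added without the precondition.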

Hope this helps.

Alia
Guest

Thank You SOOOOOOOOOOOOOOOO Much. 🙂
 
Good Luck

Lori Latta
Guest

Thank you so much for posting this, I was trying everything I could think of. I am just starting to use ASP.NET 4.0 and I knew it was something related to that.

Andrew Koransky
Guest

Thanks for this post! When I use <modules runAllManagedModulesForAllRequests="true" />, my site works great! But when I use the <modules> section to add FormsAuthenticationModule, UrlAuthorization, and DefaultAuthentication, a particular authorization rule in my site goes haywire in ASP.NET 4.0 Integrated Pipeline. My site has one directory that has a web.config with an authorization rule (<deny users="?" />). This works great in all situations outlined in your article, able to access subdirectories, etc. But I have another directory with authorization rules <allow roles="SuperAdmin,Administrator" /> followed by <deny users="*" />. I can access all files in the immediate directory when authenticated, but accessing ANYTHING in…

VIkant
Guest

Many thanks, simply excellent, it works!!!

Rafael Sousa
Guest

Thank you very much. Very good explanation.

I noticed differences when I tested the modules and config within my application inside an IIS web site (http://mydomain/app). I mean that when the app is not configured in the root context, the images and CSS are not displayed, even with any combination of the suggested settings.